• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 408
  • Last Modified:

Webmail Redirect Quit Working

Our bridgehead server (Exchange 2000) redirects to a secure port on another Exchange 2000 server for webmail access. We used to only have authenticate once to gain access. Now we are prompted twice. I verified that the method of authentication and the redirect settings are still in place and they are. We are also getting a cerificate window popping up before the login window which never used to happen before. Has anybody had any experience with this? Please advise. Thanks!
0
gfcnetwork
Asked:
gfcnetwork
  • 7
  • 6
1 Solution
 
SembeeCommented:
When the certificate prompt comes up, what does it say is the reason for the failure? Has your certificate expired?

Simon.
0
 
gfcnetworkAuthor Commented:
It is saying that the certificate has expired or is not valid. Would that be the cause of the lack of redirect?
0
 
SembeeCommented:
There is a good chance that would break something. You need to get the certificate renewed.

What do you mean by redirect? Are you using a frontend/backend scenario?

Simon.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
gfcnetworkAuthor Commented:
I renewed the certificate and now, when testing from within the network, webmail prompts twice for authentication. Once at the "external" web address for our webmail and once at the server that hosts the mailboxes. From outside the network, only one login is needed. Is there an explanation for why this changed?
0
 
SembeeCommented:
Are you using a frontend/backend scenario? Something else that is proxying the connection?

Simon.
0
 
gfcnetworkAuthor Commented:
We have a bridgehead server and that server is acting as the first point of contact. That server redirects to another server that actually holds the mailbox store. Is that the information that you are looking for? Thanks!
0
 
SembeeCommented:
You haven't answered my question.

Is this a frontend/backend scenario?
Is the server an Exchange server or something else?
A bridgehead server could be anything.

Simon.
0
 
gfcnetworkAuthor Commented:
I do not believe we are not using a frontend/backend scenario. I would be able to access the server by host name if needed to get to webmail. If you could clarify what you are looking for that would be great. What exactly makes it a frontend/backend setup?
Yes, both servers previously referenced are Exchange servers
0
 
SembeeCommented:
In a frontend/backend scenario you have a single server that provides OWA for all of the backend servers. This is configured as a frontend server, which is simply a matter of enabling an option in ESM. With Exchange 2000 the frontend server had to be an Enterprise Edition server - which meant their deployment wasn't as widespread.

If you do not have a frontend server, but users hit the first server for OWA access, then Exchange will attempt to redirect the user to the correct server. The redirect will be to the server's real name. That means that the server's real name must be resolvable on the internet.

In a frontend/backend scenario the user is not redirected and you don't have to worry about the server's real name resolving on the internet. It allows you to use an alias for OWA access and have an SSL certificate issued to the alias.

I don't deploy multiple Exchange servers without a frontend server because the redirection causes problems. If the site has used .local then it cannot be done. If the site has used a domain name that isn't theirs, then it cannot be done. If the site only has one IP address, then it cannot be done.

Is your backend server accessible directly over the internet by its real name?

Simon.
0
 
gfcnetworkAuthor Commented:
We are not using a true frontend/backend scenario. We are using the second scenario you describe. We have a web address that is hit by all users, and then users are redirected to the server that actually holds their mailbox. We have 6 servers that this could be. We have an SSL cert installed on both the server that users hit first and on each "mailbox" server.

We are able to go straght to the "mailbox" server by name.

The issue that we are trying to resolve is that no second authentication used to be needed for one of our Exchange servers, now it is, but only if trying to reach it from within our network. From the general Internet, no second authentication is needed for this particular server. On our other 5 servers, a second authentication is needed from the Internet.

I am trying to figure out why we suddenly need the second authentication from within our network for the one server and why from the Internet the same server does not need the second authentication, but all of our other ones do.

We have a mix of Exchange 2000 and Exchange 2003. The server that needs a second authentication from within our network, but not from the Internet is running Exchange 2000, fully patched.

I hope that I didn't confuse things more. Any ideas would be great! Thanks!
0
 
SembeeCommented:
Any reason you are not using a frontend/backend? Considering that you have a mixed site you could easily stand-up a single standard Exchange 2003 server to act as a frontend.

As for your question - I have no idea. I do not deploy that scenario. As soon as the client introduces a second Exchange mailbox server it is almost mandatory to have a frontend server. It also saves having multiple servers exposed to the internet.

Considering what is happening, I am surprised that you were only getting a single prompt, because as you are not using a frontend/backend scenario there is nothing to pass the credentials across. You may well have had it working despite the configuration, not because of something that you have done, and a recent security update in either windows or Exchange, either server side or client side has fixed the flaw and broken this functionality.

Simon.
0
 
gfcnetworkAuthor Commented:
This is just how the system was set up when I inherited it. Do you have any links for articles on how to implement the frontend/backend scenario. Would it also be able to be used as a bridgehead or would I need a seperate server for that?
0
 
SembeeCommented:
This is the official white paper on frontend/backend:

http://www.microsoft.com/downloads/details.aspx?familyid=E64666FC-42B7-48A1-AB85-3C8327D77B70&displaylang=en

You can use a frontend as the single point of entry - the bridgehead server. That is often how I deploy frontend servers - I use the for everything that comes in to the Exchange org - OWA, RPC over HTTPS, Mobile, SMTP, POP3 etc.

A frontend needs to be the same or higher than your backend servers, so even if you have only the one Exchange 2003 backend server you need to have your frontends on the Exchange 2003 version.

Simon.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 7
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now